CVE-2024-3353 |
Description: A vulnerability was found in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file admin/mod_reports/index.php. The manipulation of the argument categ/end leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259457 was assigned to this vulnerability. Eine kritische Schwachstelle wurde in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 gefunden. Dies betrifft einen unbekannten Teil der Datei admin/mod_reports/index.php. Dank der Manipulation des Arguments categ/end mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.21% SSVC Exploitation: poc
February 27th, 2025 (4 months ago)
|
CVE-2024-3347 |
SourceCodester Airline Ticket Reservation System activate_jet_details_form_handler.php sql injection
Description: A vulnerability was found in SourceCodester Airline Ticket Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file activate_jet_details_form_handler.php. The manipulation of the argument jet_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259451. Eine Schwachstelle wurde in SourceCodester Airline Ticket Reservation System 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Es geht hierbei um eine nicht näher spezifizierte Funktion der Datei activate_jet_details_form_handler.php. Mittels dem Manipulieren des Arguments jet_id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.3% SSVC Exploitation: poc
February 27th, 2025 (4 months ago)
|
CVE-2024-29741 |
Description: In pblS2mpuResume of s2mpu.c, there is a possible mitigation bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS: HIGH (7.8) EPSS Score: 0.02% SSVC Exploitation: none
February 27th, 2025 (4 months ago)
|
CVE-2025-1691 |
Description: The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-1691
https://jira.mongodb.org/browse/MONGOSH-2024
https://github.com/advisories/GHSA-43g5-2wr2-q7vj
CVSS: HIGH (7.6) EPSS Score: 0.05%
February 27th, 2025 (4 months ago)
|
CVE-2025-23687 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in simonhunter Woo Store Mode allows Reflected XSS. This issue affects Woo Store Mode: from n/a through 1.0.1.
CVSS: HIGH (7.1) EPSS Score: 0.04% SSVC Exploitation: none
February 27th, 2025 (4 months ago)
|
CVE-2025-1756 |
Description: mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules\. This issue affects mongosh prior to 2.3.0
CVSS: HIGH (7.5) EPSS Score: 0.01%
February 27th, 2025 (4 months ago)
|
CVE-2025-1755 |
Description: MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1
CVSS: HIGH (7.5) EPSS Score: 0.01%
February 27th, 2025 (4 months ago)
|
CVE-2025-22280 |
Description: Missing Authorization vulnerability in revmakx DefendWP Firewall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DefendWP Firewall: from n/a through 1.1.0.
CVSS: HIGH (7.6) EPSS Score: 0.03% SSVC Exploitation: none
February 27th, 2025 (4 months ago)
|
CVE-2025-27154 |
Description: Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
CVSS: HIGH (8.4) EPSS Score: 0.01%
February 27th, 2025 (4 months ago)
|
CVE-2024-9334 |
Description: Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass.This issue affects Pallium Vehicle Tracking: before 17.10.2024.
CVSS: HIGH (8.2) EPSS Score: 0.06%
February 27th, 2025 (4 months ago)
|